Hi!
With the release of THC-SSL-DOS tool, a popular work-around is to
disable SSL renegotiation. It seems to be a non-trivial task with
OpenSSL as there is no flag to use to disable renegotiation. Looking at
how it is done in Apache and nginx, I have concluded that the only way
to disable renegotiation is to intercept the beginning of a handshake
in info_callback and try to tear down the connection from here.
I have written this patch for stud that seems to work fine:
https://github.com/vincentbernat/stud/commit/5317e3cb096a67409405e0d4c4789c0ac292076c
Is there a better method?
I would like to write something similar for stunnel. Unfortunately,
while stud, nginx and Apache were event-driven, stunnel is threaded: an
SSL handshake can happen inside a SSL_read() call. Tearing down the
connection inside info_callback does not work (with SSL_shutdown()). Is
there an example of a non-event-driven program where renegotiation has
been disabled that I could use?
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
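The approach the post describes, written out for a threaded server: the info callback only notices a second handshake start and records it, and the connection thread tears the connection down after its own SSL_read() returns. This is an added example, not code from the post, stud or stunnel; it assumes one thread per connection (so a thread-local pointer can find the connection's state) and copies the SSL_CB_* values from OpenSSL's ssl.h so it compiles stand-alone, without linking libssl.

```c
#include <stddef.h>
#include <stdio.h>

/* Values copied from <openssl/ssl.h>; include the real header and link
 * libssl in an actual build, then install the callback with
 * SSL_set_info_callback(ssl, renego_info_cb). */
#ifndef SSL_CB_HANDSHAKE_START
#define SSL_CB_HANDSHAKE_START 0x10
#define SSL_CB_HANDSHAKE_DONE  0x20
#endif
struct ssl_st;                 /* opaque, exactly as OpenSSL declares it */
typedef struct ssl_st SSL;

/* Per-connection state. In a thread-per-connection server (stunnel) each
 * thread owns one connection, so a thread-local pointer is enough; an
 * event-driven server would use SSL_set_app_data() instead (assumption). */
struct renego_guard {
    int initial_done;    /* set on SSL_CB_HANDSHAKE_DONE of the first handshake */
    int renegotiation;   /* set when a handshake starts after initial_done */
};
static _Thread_local struct renego_guard *current_guard;

void renego_guard_attach(struct renego_guard *g)
{
    g->initial_done = 0;
    g->renegotiation = 0;
    current_guard = g;
}

/* Same signature as OpenSSL's info callback. It must only record state:
 * in a threaded server the handshake may be running inside the caller's
 * own SSL_read(), so calling SSL_shutdown() from here is unsafe.
 * Caveat: with OpenSSL 1.1.1 and TLS 1.3, HANDSHAKE_START is also reported
 * for post-handshake messages, so skip the check when SSL_version() is
 * TLS1_3_VERSION (TLS 1.3 has no renegotiation to block). */
void renego_info_cb(const SSL *ssl, int where, int ret)
{
    struct renego_guard *g = current_guard;
    (void)ssl; (void)ret;
    if (g == NULL) return;
    if ((where & SSL_CB_HANDSHAKE_START) && g->initial_done)
        g->renegotiation = 1;
    if (where & SSL_CB_HANDSHAKE_DONE)
        g->initial_done = 1;
}

/* The connection thread calls this after every SSL_read()/SSL_write();
 * a return of 1 means: log it, SSL_shutdown(), close the socket. */
int renego_guard_should_close(const struct renego_guard *g)
{
    return g->renegotiation;
}

/* Replays a constructed sequence of info-callback events on a fresh guard
 * and returns the resulting close decision (used as a stand-alone demo). */
int renego_guard_replay(const int *events, size_t n)
{
    struct renego_guard g;
    renego_guard_attach(&g);
    for (size_t i = 0; i < n; i++)
        renego_info_cb(NULL, events[i], 1);
    return renego_guard_should_close(&g);
}
```

A normal connection (start, done) returns 0 from renego_guard_replay(); the same sequence followed by a second SSL_CB_HANDSHAKE_START returns 1.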